
In its first data security enforcement action, the CFPB ventured into the FTC’s usual enforcement territory and obtained a consent order against Dwolla Inc., an online payment company. The company has agreed to pay a $100,000 penalty, stop misrepresenting its data security practices, and take corrective action by training employees and improving data security and customer authentication. The CFPB also required Dwolla, among other things, to hire an independent expert to audit data security annually for five years, develop a written information security program, and assess security risks biannually. The full consent order can be viewed here.

The CFPB typically focuses on tangible consumer harm. Here, however, there was no evidence that consumers were tangibly harmed by Dwolla: no consumers complained to Dwolla or to the CFPB, and there was no data breach. The CFPB was able to engage in this preemptive enforcement by relying on its authority to police deceptive acts and practices under Dodd-Frank’s prohibition against “unfair, deceptive, and abusive practices,” which requires only that conduct misleads or is likely to mislead the consumer.

In this case, Dwolla stated on its website and in other communications that its data security practices exceeded industry standards and that information was fully encrypted in storage and in transmission. The CFPB found these claims to be material to consumers because they were likely to affect consumers’ choices of whether to use Dwolla’s services. The CFPB found the company fell short of these representations because it failed to implement data security procedures appropriate for the company and its services, conduct risk assessments, train employees, and use encryption technology to properly safeguard sensitive consumer information.

Thus, any company that claims its data security exceeds industry standards, without backing such claims with robust security practices, may attract the attention of the CFPB and other authorities. Consequently, companies need to be prepared for data security scrutiny during regulatory examinations or other actions. They should ensure that their privacy policies meet minimum requirements but also do not overstate any security capabilities. This isn’t limited to just privacy policies or fine print—other representations made to the public can also be deemed deceptive, including those made by customer service representatives. Moreover, actual data security practices should at minimum match, and ideally exceed, the representations made in privacy policies and elsewhere.

Moving forward, cyber security will continue to be a cornerstone for many regulatory agencies, not just the CFPB. The CFPB will likely incorporate data security and privacy into its guidance manuals as well. Companies are encouraged to monitor enforcement actions as this regulatory area continues to develop.
